This configures all URLs in the application to require that the user is logged in and has the privilege named ROLE_USER.


```java
@PreAuthorize("hasRole('ROLE_SYSADMIN')")
public String getSensitiveInformation() {
    return "Only special people are allowed to see this information";
}
```

This ensures that anyone calling this method (either directly or indirectly) must be logged in and have the privilege named ROLE_SYSADMIN.

So far, so straightforward.

The problem is that these role names proliferate across the codebase. Chances are you will want to refer to the same role name in many different places in your application. If these role names were in code, you would typically refactor them out into a single representation as soon as you had two different references to them in the codebase. Unfortunately, this is not so simple with Spring Security.

```java
@PreAuthorize("hasRole(T(com.example.Authority).SYSADMIN.toString())")
public String getSensitiveInformation() {
    return "Still only special people are allowed to see this information";
}
```

Unfortunately, IntelliJ Community Edition’s ‘Find Usages’ is not clever enough to pick up these Spring Expression Language references, but it still feels better than sprinkling identical magic strings across the codebase.
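The enum behind that `T(com.example.Authority)` expression is not shown above, so here is one way to write it, as an added example rather than the post's own code. The assumptions are mine: the enum implements `GrantedAuthority` so the same constants can be used when building a user's authorities, and `toString()` returns the full `ROLE_`-prefixed name so it works with both `hasRole` and the stricter `hasAuthority`.

```java
package com.example;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

// Single source of truth for role names (assumed shape, not from the post).
// Implementing GrantedAuthority lets the same constants be handed to Spring
// Security when assigning roles, so "ROLE_SYSADMIN" is spelled out exactly once.
public enum Authority implements GrantedAuthority {
    USER,
    SYSADMIN;

    private static final String ROLE_PREFIX = "ROLE_";

    @Override
    public String getAuthority() {
        return ROLE_PREFIX + name();
    }

    // SpEL calls toString() in the @PreAuthorize expression; returning the
    // full authority string means hasRole(...) and hasAuthority(...) both match.
    @Override
    public String toString() {
        return getAuthority();
    }
}

@Service
class SensitiveService {

    // T(...) is SpEL's type operator: the constant is resolved at runtime, so an
    // IDE rename of SYSADMIN would be caught by the compiler everywhere except
    // inside this string, which is the limitation the post describes.
    @PreAuthorize("hasRole(T(com.example.Authority).SYSADMIN.toString())")
    public String getSensitiveInformation() {
        return "Still only special people are allowed to see this information";
    }

    // Granting the role uses the same enum constant, not a second copy of the
    // string. The "{noop}" password encoding is for illustration only.
    static UserDetails sysadmin() {
        return User.builder()
                .username("admin")
                .password("{noop}change-me")
                .authorities(Authority.SYSADMIN)
                .build();
    }
}
```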